0c43658a4e4162a9ac41b72edec61222bce0353037d3fe6bad6fd694302124fb

Analysis

max time kernel
151s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2023, 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2dabbdba5e8900exeexeexeex.exe
Size

204KB
MD5

2dabbdba5e89005d06afa0ac21414beb
SHA1

2ba12aedc4eafcd274f969db3e160d86f206ae97
SHA256

0c43658a4e4162a9ac41b72edec61222bce0353037d3fe6bad6fd694302124fb
SHA512

796f7d4922c2b4e8f6aeb790d4d36b57e5c72f2790580f3afa2f73b4afd305ed3d477a08b18e3f1be9f21993c42d48cc25eb851a982b3bd64dfc994cbefb5f49
SSDEEP

1536:1EGh0o4l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o4l1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4155E441-20E0-4d1d-B637-7D779BF4E77D}\stubpath = "C:\\Windows\\{4155E441-20E0-4d1d-B637-7D779BF4E77D}.exe"	2dabbdba5e8900exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{115DA761-C935-41c9-A6BA-FC0FCA3DB05C}\stubpath = "C:\\Windows\\{115DA761-C935-41c9-A6BA-FC0FCA3DB05C}.exe"	{4E68AA7B-049C-4bfd-9F57-8DB38192C698}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3351745D-6B6C-4825-B181-907A93FBAFC1}	{28BBFC9E-98F3-4346-BB94-D133783E12EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3351745D-6B6C-4825-B181-907A93FBAFC1}\stubpath = "C:\\Windows\\{3351745D-6B6C-4825-B181-907A93FBAFC1}.exe"	{28BBFC9E-98F3-4346-BB94-D133783E12EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8DB12B5-63A1-4596-A022-47242D90B62D}	{3351745D-6B6C-4825-B181-907A93FBAFC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A7B385C-C175-4574-AD1A-66CB2B87AC93}	{C8DB12B5-63A1-4596-A022-47242D90B62D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{431856D8-1099-454f-BAAB-571FDE2CA89C}\stubpath = "C:\\Windows\\{431856D8-1099-454f-BAAB-571FDE2CA89C}.exe"	{1EA4DFAF-09A0-4e03-BBA2-86CD8984776F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4155E441-20E0-4d1d-B637-7D779BF4E77D}	2dabbdba5e8900exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{115DA761-C935-41c9-A6BA-FC0FCA3DB05C}	{4E68AA7B-049C-4bfd-9F57-8DB38192C698}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9999655-903E-48d0-BF9C-AB7999B7196C}\stubpath = "C:\\Windows\\{D9999655-903E-48d0-BF9C-AB7999B7196C}.exe"	{115DA761-C935-41c9-A6BA-FC0FCA3DB05C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28BBFC9E-98F3-4346-BB94-D133783E12EB}	{D9999655-903E-48d0-BF9C-AB7999B7196C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28BBFC9E-98F3-4346-BB94-D133783E12EB}\stubpath = "C:\\Windows\\{28BBFC9E-98F3-4346-BB94-D133783E12EB}.exe"	{D9999655-903E-48d0-BF9C-AB7999B7196C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E68AA7B-049C-4bfd-9F57-8DB38192C698}\stubpath = "C:\\Windows\\{4E68AA7B-049C-4bfd-9F57-8DB38192C698}.exe"	{4155E441-20E0-4d1d-B637-7D779BF4E77D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9999655-903E-48d0-BF9C-AB7999B7196C}	{115DA761-C935-41c9-A6BA-FC0FCA3DB05C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{527452CA-247F-4e98-B4EC-1B09193D112C}	{4A7B385C-C175-4574-AD1A-66CB2B87AC93}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C316B7AF-111B-4fc5-89F5-2D995D4E458F}	{527452CA-247F-4e98-B4EC-1B09193D112C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EA4DFAF-09A0-4e03-BBA2-86CD8984776F}\stubpath = "C:\\Windows\\{1EA4DFAF-09A0-4e03-BBA2-86CD8984776F}.exe"	{C316B7AF-111B-4fc5-89F5-2D995D4E458F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{431856D8-1099-454f-BAAB-571FDE2CA89C}	{1EA4DFAF-09A0-4e03-BBA2-86CD8984776F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E68AA7B-049C-4bfd-9F57-8DB38192C698}	{4155E441-20E0-4d1d-B637-7D779BF4E77D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8DB12B5-63A1-4596-A022-47242D90B62D}\stubpath = "C:\\Windows\\{C8DB12B5-63A1-4596-A022-47242D90B62D}.exe"	{3351745D-6B6C-4825-B181-907A93FBAFC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A7B385C-C175-4574-AD1A-66CB2B87AC93}\stubpath = "C:\\Windows\\{4A7B385C-C175-4574-AD1A-66CB2B87AC93}.exe"	{C8DB12B5-63A1-4596-A022-47242D90B62D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{527452CA-247F-4e98-B4EC-1B09193D112C}\stubpath = "C:\\Windows\\{527452CA-247F-4e98-B4EC-1B09193D112C}.exe"	{4A7B385C-C175-4574-AD1A-66CB2B87AC93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C316B7AF-111B-4fc5-89F5-2D995D4E458F}\stubpath = "C:\\Windows\\{C316B7AF-111B-4fc5-89F5-2D995D4E458F}.exe"	{527452CA-247F-4e98-B4EC-1B09193D112C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EA4DFAF-09A0-4e03-BBA2-86CD8984776F}	{C316B7AF-111B-4fc5-89F5-2D995D4E458F}.exe

Executes dropped EXE 12 IoCs

pid	Process
4668	{4155E441-20E0-4d1d-B637-7D779BF4E77D}.exe
4092	{4E68AA7B-049C-4bfd-9F57-8DB38192C698}.exe
5072	{115DA761-C935-41c9-A6BA-FC0FCA3DB05C}.exe
3660	{D9999655-903E-48d0-BF9C-AB7999B7196C}.exe
2080	{28BBFC9E-98F3-4346-BB94-D133783E12EB}.exe
3148	{3351745D-6B6C-4825-B181-907A93FBAFC1}.exe
4156	{C8DB12B5-63A1-4596-A022-47242D90B62D}.exe
1848	{4A7B385C-C175-4574-AD1A-66CB2B87AC93}.exe
1552	{527452CA-247F-4e98-B4EC-1B09193D112C}.exe
3700	{C316B7AF-111B-4fc5-89F5-2D995D4E458F}.exe
3144	{1EA4DFAF-09A0-4e03-BBA2-86CD8984776F}.exe
3628	{431856D8-1099-454f-BAAB-571FDE2CA89C}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{4A7B385C-C175-4574-AD1A-66CB2B87AC93}.exe	{C8DB12B5-63A1-4596-A022-47242D90B62D}.exe
File created	C:\Windows\{527452CA-247F-4e98-B4EC-1B09193D112C}.exe	{4A7B385C-C175-4574-AD1A-66CB2B87AC93}.exe
File created	C:\Windows\{C316B7AF-111B-4fc5-89F5-2D995D4E458F}.exe	{527452CA-247F-4e98-B4EC-1B09193D112C}.exe
File created	C:\Windows\{1EA4DFAF-09A0-4e03-BBA2-86CD8984776F}.exe	{C316B7AF-111B-4fc5-89F5-2D995D4E458F}.exe
File created	C:\Windows\{4155E441-20E0-4d1d-B637-7D779BF4E77D}.exe	2dabbdba5e8900exeexeexeex.exe
File created	C:\Windows\{4E68AA7B-049C-4bfd-9F57-8DB38192C698}.exe	{4155E441-20E0-4d1d-B637-7D779BF4E77D}.exe
File created	C:\Windows\{115DA761-C935-41c9-A6BA-FC0FCA3DB05C}.exe	{4E68AA7B-049C-4bfd-9F57-8DB38192C698}.exe
File created	C:\Windows\{28BBFC9E-98F3-4346-BB94-D133783E12EB}.exe	{D9999655-903E-48d0-BF9C-AB7999B7196C}.exe
File created	C:\Windows\{D9999655-903E-48d0-BF9C-AB7999B7196C}.exe	{115DA761-C935-41c9-A6BA-FC0FCA3DB05C}.exe
File created	C:\Windows\{3351745D-6B6C-4825-B181-907A93FBAFC1}.exe	{28BBFC9E-98F3-4346-BB94-D133783E12EB}.exe
File created	C:\Windows\{C8DB12B5-63A1-4596-A022-47242D90B62D}.exe	{3351745D-6B6C-4825-B181-907A93FBAFC1}.exe
File created	C:\Windows\{431856D8-1099-454f-BAAB-571FDE2CA89C}.exe	{1EA4DFAF-09A0-4e03-BBA2-86CD8984776F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4984	2dabbdba5e8900exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	4668	{4155E441-20E0-4d1d-B637-7D779BF4E77D}.exe
Token: SeIncBasePriorityPrivilege	4092	{4E68AA7B-049C-4bfd-9F57-8DB38192C698}.exe
Token: SeIncBasePriorityPrivilege	5072	{115DA761-C935-41c9-A6BA-FC0FCA3DB05C}.exe
Token: SeIncBasePriorityPrivilege	3660	{D9999655-903E-48d0-BF9C-AB7999B7196C}.exe
Token: SeIncBasePriorityPrivilege	2080	{28BBFC9E-98F3-4346-BB94-D133783E12EB}.exe
Token: SeIncBasePriorityPrivilege	3148	{3351745D-6B6C-4825-B181-907A93FBAFC1}.exe
Token: SeIncBasePriorityPrivilege	4156	{C8DB12B5-63A1-4596-A022-47242D90B62D}.exe
Token: SeIncBasePriorityPrivilege	1848	{4A7B385C-C175-4574-AD1A-66CB2B87AC93}.exe
Token: SeIncBasePriorityPrivilege	1552	{527452CA-247F-4e98-B4EC-1B09193D112C}.exe
Token: SeIncBasePriorityPrivilege	3700	{C316B7AF-111B-4fc5-89F5-2D995D4E458F}.exe
Token: SeIncBasePriorityPrivilege	3144	{1EA4DFAF-09A0-4e03-BBA2-86CD8984776F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 4668	4984	2dabbdba5e8900exeexeexeex.exe	83
PID 4984 wrote to memory of 4668	4984	2dabbdba5e8900exeexeexeex.exe	83
PID 4984 wrote to memory of 4668	4984	2dabbdba5e8900exeexeexeex.exe	83
PID 4984 wrote to memory of 2636	4984	2dabbdba5e8900exeexeexeex.exe	84
PID 4984 wrote to memory of 2636	4984	2dabbdba5e8900exeexeexeex.exe	84
PID 4984 wrote to memory of 2636	4984	2dabbdba5e8900exeexeexeex.exe	84
PID 4668 wrote to memory of 4092	4668	{4155E441-20E0-4d1d-B637-7D779BF4E77D}.exe	85
PID 4668 wrote to memory of 4092	4668	{4155E441-20E0-4d1d-B637-7D779BF4E77D}.exe	85
PID 4668 wrote to memory of 4092	4668	{4155E441-20E0-4d1d-B637-7D779BF4E77D}.exe	85
PID 4668 wrote to memory of 2516	4668	{4155E441-20E0-4d1d-B637-7D779BF4E77D}.exe	86
PID 4668 wrote to memory of 2516	4668	{4155E441-20E0-4d1d-B637-7D779BF4E77D}.exe	86
PID 4668 wrote to memory of 2516	4668	{4155E441-20E0-4d1d-B637-7D779BF4E77D}.exe	86
PID 4092 wrote to memory of 5072	4092	{4E68AA7B-049C-4bfd-9F57-8DB38192C698}.exe	89
PID 4092 wrote to memory of 5072	4092	{4E68AA7B-049C-4bfd-9F57-8DB38192C698}.exe	89
PID 4092 wrote to memory of 5072	4092	{4E68AA7B-049C-4bfd-9F57-8DB38192C698}.exe	89
PID 4092 wrote to memory of 1804	4092	{4E68AA7B-049C-4bfd-9F57-8DB38192C698}.exe	90
PID 4092 wrote to memory of 1804	4092	{4E68AA7B-049C-4bfd-9F57-8DB38192C698}.exe	90
PID 4092 wrote to memory of 1804	4092	{4E68AA7B-049C-4bfd-9F57-8DB38192C698}.exe	90
PID 5072 wrote to memory of 3660	5072	{115DA761-C935-41c9-A6BA-FC0FCA3DB05C}.exe	91
PID 5072 wrote to memory of 3660	5072	{115DA761-C935-41c9-A6BA-FC0FCA3DB05C}.exe	91
PID 5072 wrote to memory of 3660	5072	{115DA761-C935-41c9-A6BA-FC0FCA3DB05C}.exe	91
PID 5072 wrote to memory of 3296	5072	{115DA761-C935-41c9-A6BA-FC0FCA3DB05C}.exe	92
PID 5072 wrote to memory of 3296	5072	{115DA761-C935-41c9-A6BA-FC0FCA3DB05C}.exe	92
PID 5072 wrote to memory of 3296	5072	{115DA761-C935-41c9-A6BA-FC0FCA3DB05C}.exe	92
PID 3660 wrote to memory of 2080	3660	{D9999655-903E-48d0-BF9C-AB7999B7196C}.exe	93
PID 3660 wrote to memory of 2080	3660	{D9999655-903E-48d0-BF9C-AB7999B7196C}.exe	93
PID 3660 wrote to memory of 2080	3660	{D9999655-903E-48d0-BF9C-AB7999B7196C}.exe	93
PID 3660 wrote to memory of 2476	3660	{D9999655-903E-48d0-BF9C-AB7999B7196C}.exe	94
PID 3660 wrote to memory of 2476	3660	{D9999655-903E-48d0-BF9C-AB7999B7196C}.exe	94
PID 3660 wrote to memory of 2476	3660	{D9999655-903E-48d0-BF9C-AB7999B7196C}.exe	94
PID 2080 wrote to memory of 3148	2080	{28BBFC9E-98F3-4346-BB94-D133783E12EB}.exe	95
PID 2080 wrote to memory of 3148	2080	{28BBFC9E-98F3-4346-BB94-D133783E12EB}.exe	95
PID 2080 wrote to memory of 3148	2080	{28BBFC9E-98F3-4346-BB94-D133783E12EB}.exe	95
PID 2080 wrote to memory of 3016	2080	{28BBFC9E-98F3-4346-BB94-D133783E12EB}.exe	96
PID 2080 wrote to memory of 3016	2080	{28BBFC9E-98F3-4346-BB94-D133783E12EB}.exe	96
PID 2080 wrote to memory of 3016	2080	{28BBFC9E-98F3-4346-BB94-D133783E12EB}.exe	96
PID 3148 wrote to memory of 4156	3148	{3351745D-6B6C-4825-B181-907A93FBAFC1}.exe	97
PID 3148 wrote to memory of 4156	3148	{3351745D-6B6C-4825-B181-907A93FBAFC1}.exe	97
PID 3148 wrote to memory of 4156	3148	{3351745D-6B6C-4825-B181-907A93FBAFC1}.exe	97
PID 3148 wrote to memory of 1004	3148	{3351745D-6B6C-4825-B181-907A93FBAFC1}.exe	98
PID 3148 wrote to memory of 1004	3148	{3351745D-6B6C-4825-B181-907A93FBAFC1}.exe	98
PID 3148 wrote to memory of 1004	3148	{3351745D-6B6C-4825-B181-907A93FBAFC1}.exe	98
PID 4156 wrote to memory of 1848	4156	{C8DB12B5-63A1-4596-A022-47242D90B62D}.exe	99
PID 4156 wrote to memory of 1848	4156	{C8DB12B5-63A1-4596-A022-47242D90B62D}.exe	99
PID 4156 wrote to memory of 1848	4156	{C8DB12B5-63A1-4596-A022-47242D90B62D}.exe	99
PID 4156 wrote to memory of 4236	4156	{C8DB12B5-63A1-4596-A022-47242D90B62D}.exe	100
PID 4156 wrote to memory of 4236	4156	{C8DB12B5-63A1-4596-A022-47242D90B62D}.exe	100
PID 4156 wrote to memory of 4236	4156	{C8DB12B5-63A1-4596-A022-47242D90B62D}.exe	100
PID 1848 wrote to memory of 1552	1848	{4A7B385C-C175-4574-AD1A-66CB2B87AC93}.exe	101
PID 1848 wrote to memory of 1552	1848	{4A7B385C-C175-4574-AD1A-66CB2B87AC93}.exe	101
PID 1848 wrote to memory of 1552	1848	{4A7B385C-C175-4574-AD1A-66CB2B87AC93}.exe	101
PID 1848 wrote to memory of 4176	1848	{4A7B385C-C175-4574-AD1A-66CB2B87AC93}.exe	102
PID 1848 wrote to memory of 4176	1848	{4A7B385C-C175-4574-AD1A-66CB2B87AC93}.exe	102
PID 1848 wrote to memory of 4176	1848	{4A7B385C-C175-4574-AD1A-66CB2B87AC93}.exe	102
PID 1552 wrote to memory of 3700	1552	{527452CA-247F-4e98-B4EC-1B09193D112C}.exe	105
PID 1552 wrote to memory of 3700	1552	{527452CA-247F-4e98-B4EC-1B09193D112C}.exe	105
PID 1552 wrote to memory of 3700	1552	{527452CA-247F-4e98-B4EC-1B09193D112C}.exe	105
PID 1552 wrote to memory of 3972	1552	{527452CA-247F-4e98-B4EC-1B09193D112C}.exe	106
PID 1552 wrote to memory of 3972	1552	{527452CA-247F-4e98-B4EC-1B09193D112C}.exe	106
PID 1552 wrote to memory of 3972	1552	{527452CA-247F-4e98-B4EC-1B09193D112C}.exe	106
PID 3700 wrote to memory of 3144	3700	{C316B7AF-111B-4fc5-89F5-2D995D4E458F}.exe	107
PID 3700 wrote to memory of 3144	3700	{C316B7AF-111B-4fc5-89F5-2D995D4E458F}.exe	107
PID 3700 wrote to memory of 3144	3700	{C316B7AF-111B-4fc5-89F5-2D995D4E458F}.exe	107
PID 3700 wrote to memory of 3828	3700	{C316B7AF-111B-4fc5-89F5-2D995D4E458F}.exe	108

C:\Users\Admin\AppData\Local\Temp\2dabbdba5e8900exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\2dabbdba5e8900exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Windows\{4155E441-20E0-4d1d-B637-7D779BF4E77D}.exe
  C:\Windows\{4155E441-20E0-4d1d-B637-7D779BF4E77D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4668
- - C:\Windows\{4E68AA7B-049C-4bfd-9F57-8DB38192C698}.exe
    C:\Windows\{4E68AA7B-049C-4bfd-9F57-8DB38192C698}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4092
  - - C:\Windows\{115DA761-C935-41c9-A6BA-FC0FCA3DB05C}.exe
      C:\Windows\{115DA761-C935-41c9-A6BA-FC0FCA3DB05C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5072
    - - C:\Windows\{D9999655-903E-48d0-BF9C-AB7999B7196C}.exe
        
        C:\Windows\{D9999655-903E-48d0-BF9C-AB7999B7196C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3660
      - C:\Windows\{28BBFC9E-98F3-4346-BB94-D133783E12EB}.exe
        
        C:\Windows\{28BBFC9E-98F3-4346-BB94-D133783E12EB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\{3351745D-6B6C-4825-B181-907A93FBAFC1}.exe
        
        C:\Windows\{3351745D-6B6C-4825-B181-907A93FBAFC1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3148
        
        C:\Windows\{C8DB12B5-63A1-4596-A022-47242D90B62D}.exe
        
        C:\Windows\{C8DB12B5-63A1-4596-A022-47242D90B62D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\{4A7B385C-C175-4574-AD1A-66CB2B87AC93}.exe
        
        C:\Windows\{4A7B385C-C175-4574-AD1A-66CB2B87AC93}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\{527452CA-247F-4e98-B4EC-1B09193D112C}.exe
        
        C:\Windows\{527452CA-247F-4e98-B4EC-1B09193D112C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\{C316B7AF-111B-4fc5-89F5-2D995D4E458F}.exe
        
        C:\Windows\{C316B7AF-111B-4fc5-89F5-2D995D4E458F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\{1EA4DFAF-09A0-4e03-BBA2-86CD8984776F}.exe
        
        C:\Windows\{1EA4DFAF-09A0-4e03-BBA2-86CD8984776F}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3144
        
        C:\Windows\{431856D8-1099-454f-BAAB-571FDE2CA89C}.exe
        
        C:\Windows\{431856D8-1099-454f-BAAB-571FDE2CA89C}.exe
        13⤵
        Executes dropped EXE
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1EA4D~1.EXE > nul
        13⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C316B~1.EXE > nul
        12⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52745~1.EXE > nul
        11⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A7B3~1.EXE > nul
        10⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8DB1~1.EXE > nul
        9⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33517~1.EXE > nul
        8⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28BBF~1.EXE > nul
        7⤵
        
        PID:3016
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9999~1.EXE > nul
        6⤵
        
        PID:2476
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{115DA~1.EXE > nul
        5⤵
        
        PID:3296
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4E68A~1.EXE > nul
      4⤵
      PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4155E~1.EXE > nul
    3⤵
    PID:2516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2DABBD~1.EXE > nul
  2⤵
  PID:2636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{115DA761-C935-41c9-A6BA-FC0FCA3DB05C}.exe

Filesize
204KB

MD5
65272054ea2718194239eb18e5f58bbd

SHA1
181fbc280fd97f505c52e55cb4c260c9a2b7b7cf

SHA256
d6a35afd78b8d177e4974da14530fb5349ae026d8f95479707bb626c8d076fe1

SHA512
ec381681946af46f1cf8211fa5a00f5923e6a0b0ebb118e95646f52d031030482ef043ba774d6962a39f363b3883cc00e412530ff1ce5a83e34ebc29572c99da

Download Submit
C:\Windows\{115DA761-C935-41c9-A6BA-FC0FCA3DB05C}.exe

Filesize
204KB

MD5
65272054ea2718194239eb18e5f58bbd

SHA1
181fbc280fd97f505c52e55cb4c260c9a2b7b7cf

SHA256
d6a35afd78b8d177e4974da14530fb5349ae026d8f95479707bb626c8d076fe1

SHA512
ec381681946af46f1cf8211fa5a00f5923e6a0b0ebb118e95646f52d031030482ef043ba774d6962a39f363b3883cc00e412530ff1ce5a83e34ebc29572c99da

Download Submit
C:\Windows\{115DA761-C935-41c9-A6BA-FC0FCA3DB05C}.exe

Filesize
204KB

MD5
65272054ea2718194239eb18e5f58bbd

SHA1
181fbc280fd97f505c52e55cb4c260c9a2b7b7cf

SHA256
d6a35afd78b8d177e4974da14530fb5349ae026d8f95479707bb626c8d076fe1

SHA512
ec381681946af46f1cf8211fa5a00f5923e6a0b0ebb118e95646f52d031030482ef043ba774d6962a39f363b3883cc00e412530ff1ce5a83e34ebc29572c99da

Download Submit
C:\Windows\{1EA4DFAF-09A0-4e03-BBA2-86CD8984776F}.exe

Filesize
204KB

MD5
733f00442ee9545e282f76716cefc630

SHA1
528ce4aab08f2cca1b1dd959d6f0487aa3ff2070

SHA256
875c22c6c50b05746b9e8cb8a89450cdc3cc4bc88f336006db2cd8be2c59b711

SHA512
f162048e2a0acf1db057dfe82d81dc0a39f7203d453645f535180b647adbb5ce12367b5a25af7235dec0138f8d3927cd4451d874e407c6e0a9ee8ff0c4fc53dc

Download Submit
C:\Windows\{1EA4DFAF-09A0-4e03-BBA2-86CD8984776F}.exe

Filesize
204KB

MD5
733f00442ee9545e282f76716cefc630

SHA1
528ce4aab08f2cca1b1dd959d6f0487aa3ff2070

SHA256
875c22c6c50b05746b9e8cb8a89450cdc3cc4bc88f336006db2cd8be2c59b711

SHA512
f162048e2a0acf1db057dfe82d81dc0a39f7203d453645f535180b647adbb5ce12367b5a25af7235dec0138f8d3927cd4451d874e407c6e0a9ee8ff0c4fc53dc

Download Submit
C:\Windows\{28BBFC9E-98F3-4346-BB94-D133783E12EB}.exe

Filesize
204KB

MD5
c3dc238dfaf5530cfa70a55cc21ef2d4

SHA1
a9c87dc2db79f5934d7d174e5b8b3dc4fc0e41b5

SHA256
1a60e7a261278fda7e3735c11ea16992fb39b8e35a59547356b35338f10c79cc

SHA512
35eebee7acb640a9298f8f14db742453d00eae8092d54bd22404cfdd6b61b43f49277c8ae1f7059e79ca326d459daa4f87006a4b1d2b305bb3d8ef9f15721acf

Download Submit
C:\Windows\{28BBFC9E-98F3-4346-BB94-D133783E12EB}.exe

Filesize
204KB

MD5
c3dc238dfaf5530cfa70a55cc21ef2d4

SHA1
a9c87dc2db79f5934d7d174e5b8b3dc4fc0e41b5

SHA256
1a60e7a261278fda7e3735c11ea16992fb39b8e35a59547356b35338f10c79cc

SHA512
35eebee7acb640a9298f8f14db742453d00eae8092d54bd22404cfdd6b61b43f49277c8ae1f7059e79ca326d459daa4f87006a4b1d2b305bb3d8ef9f15721acf

Download Submit
C:\Windows\{3351745D-6B6C-4825-B181-907A93FBAFC1}.exe

Filesize
204KB

MD5
04c66a90345c48801088c5edcc4a5733

SHA1
806930c3cdbb14832b1f554d60fcd69d346aa62d

SHA256
da5159351ea8154bef60a2b8eb1fa7251a454ba34fe271874310534e48b2ecbf

SHA512
cfeb0ef47f009eb5d02031a7b799ef5539b8dfdc5cfa584c33d2153355a9e2d61f64d0515178a717dc49a40d54bb9b7464ddcdbe80d8ed80b349f09d41aeb16d

Download Submit
C:\Windows\{3351745D-6B6C-4825-B181-907A93FBAFC1}.exe

Filesize
204KB

MD5
04c66a90345c48801088c5edcc4a5733

SHA1
806930c3cdbb14832b1f554d60fcd69d346aa62d

SHA256
da5159351ea8154bef60a2b8eb1fa7251a454ba34fe271874310534e48b2ecbf

SHA512
cfeb0ef47f009eb5d02031a7b799ef5539b8dfdc5cfa584c33d2153355a9e2d61f64d0515178a717dc49a40d54bb9b7464ddcdbe80d8ed80b349f09d41aeb16d

Download Submit
C:\Windows\{4155E441-20E0-4d1d-B637-7D779BF4E77D}.exe

Filesize
204KB

MD5
a038871a66251c9cd2ad62c1ef794167

SHA1
d93388fcb40d72e4e27677674716ec479afba977

SHA256
af82dea15c6f87acd1bd615e0e896192ff38db72626323375df6012160a3fb0d

SHA512
35531e760d7925f8477a1b93509e7e70cadff981425e8a5644549a698b3de0f52ec82d3cbcf34f32a31ae398d399e83309157519970472f8864f91fafac42104

Download Submit
C:\Windows\{4155E441-20E0-4d1d-B637-7D779BF4E77D}.exe

Filesize
204KB

MD5
a038871a66251c9cd2ad62c1ef794167

SHA1
d93388fcb40d72e4e27677674716ec479afba977

SHA256
af82dea15c6f87acd1bd615e0e896192ff38db72626323375df6012160a3fb0d

SHA512
35531e760d7925f8477a1b93509e7e70cadff981425e8a5644549a698b3de0f52ec82d3cbcf34f32a31ae398d399e83309157519970472f8864f91fafac42104

Download Submit
C:\Windows\{431856D8-1099-454f-BAAB-571FDE2CA89C}.exe

Filesize
204KB

MD5
a391c092f9932708df82964f4dc22206

SHA1
761a9afa9816afcfc7683a41972384e5b36ce032

SHA256
da74166931f074a358b20868adcbeee908ca6733ba80943f50339ee425c5b3cd

SHA512
81147eeff3ccd61352b5ba4c9383a6a00f5d458002e2007c4e2cc7148e417ea41d3d92745f81c3599a8330383e92e470c1f3fb6eae6c5bbf8270a0041e5ccb64

Download Submit
C:\Windows\{431856D8-1099-454f-BAAB-571FDE2CA89C}.exe

Filesize
204KB

MD5
a391c092f9932708df82964f4dc22206

SHA1
761a9afa9816afcfc7683a41972384e5b36ce032

SHA256
da74166931f074a358b20868adcbeee908ca6733ba80943f50339ee425c5b3cd

SHA512
81147eeff3ccd61352b5ba4c9383a6a00f5d458002e2007c4e2cc7148e417ea41d3d92745f81c3599a8330383e92e470c1f3fb6eae6c5bbf8270a0041e5ccb64

Download Submit
C:\Windows\{4A7B385C-C175-4574-AD1A-66CB2B87AC93}.exe

Filesize
204KB

MD5
6b6d74ebd04b2fa3667ebef81492bea4

SHA1
8de6ccacdbaf2490605ec2366747a02f942f8226

SHA256
23e5ffd9b372b66ee84f0198a8e90a1b5726c7b4d976bf7f9324735eee6d13da

SHA512
5ae4a0d598daf34c617d8cb6cf513c06c9b8a452709850b848436a3b19a152289ee7de3bc8a683741ba2d7687c69b666b9f38d17f13acd299638e7652fd93db8

Download Submit
C:\Windows\{4A7B385C-C175-4574-AD1A-66CB2B87AC93}.exe

Filesize
204KB

MD5
6b6d74ebd04b2fa3667ebef81492bea4

SHA1
8de6ccacdbaf2490605ec2366747a02f942f8226

SHA256
23e5ffd9b372b66ee84f0198a8e90a1b5726c7b4d976bf7f9324735eee6d13da

SHA512
5ae4a0d598daf34c617d8cb6cf513c06c9b8a452709850b848436a3b19a152289ee7de3bc8a683741ba2d7687c69b666b9f38d17f13acd299638e7652fd93db8

Download Submit
C:\Windows\{4E68AA7B-049C-4bfd-9F57-8DB38192C698}.exe

Filesize
204KB

MD5
52abf975356b7e5a92b22962cb2f01a5

SHA1
dcd0b79133631d70b9c70b5fb2e5b2a5ab2713af

SHA256
c272d2dc157a58d3d4a89337fe68fbfd7f58dfe8c341f1fefa684a81ef47b389

SHA512
e1cbdfaa43264fa5e64e2c135f1a480ef147e287477e1bf5ed1041bc4dec010dc1950a7f30d11d3f51e64f0abbff2bce986a1572a29d578c2deaa38af432668d

Download Submit
C:\Windows\{4E68AA7B-049C-4bfd-9F57-8DB38192C698}.exe

Filesize
204KB

MD5
52abf975356b7e5a92b22962cb2f01a5

SHA1
dcd0b79133631d70b9c70b5fb2e5b2a5ab2713af

SHA256
c272d2dc157a58d3d4a89337fe68fbfd7f58dfe8c341f1fefa684a81ef47b389

SHA512
e1cbdfaa43264fa5e64e2c135f1a480ef147e287477e1bf5ed1041bc4dec010dc1950a7f30d11d3f51e64f0abbff2bce986a1572a29d578c2deaa38af432668d

Download Submit
C:\Windows\{527452CA-247F-4e98-B4EC-1B09193D112C}.exe

Filesize
204KB

MD5
b3b334970f547776121a9008adaa4f20

SHA1
53169727f4715a028a61e9ec726c37702964b69b

SHA256
7d83fbee7bb8145a0fa51c3c58674e74bb4f1e537962d64be84a0cfcf72241d0

SHA512
c03349c4593a1d692d8be78ac7bdb3a5d0decc69744026f3751c2631c12bb564e43e49246ce7782e4e59fa2797d225a347bde64415415b19fe3b3632dce5ed0c

Download Submit
C:\Windows\{527452CA-247F-4e98-B4EC-1B09193D112C}.exe

Filesize
204KB

MD5
b3b334970f547776121a9008adaa4f20

SHA1
53169727f4715a028a61e9ec726c37702964b69b

SHA256
7d83fbee7bb8145a0fa51c3c58674e74bb4f1e537962d64be84a0cfcf72241d0

SHA512
c03349c4593a1d692d8be78ac7bdb3a5d0decc69744026f3751c2631c12bb564e43e49246ce7782e4e59fa2797d225a347bde64415415b19fe3b3632dce5ed0c

Download Submit
C:\Windows\{C316B7AF-111B-4fc5-89F5-2D995D4E458F}.exe

Filesize
204KB

MD5
92b2daddbf7104ea7ecdfcf1b46d4058

SHA1
20cb3f492fdc0598016942269991c08c82c62085

SHA256
a1d8c3d8dafb08eb2e3dfd7ece60d47ca7bdab653398a649f65079ac21c9b6a7

SHA512
53f8070aa881e452c30419422b1247660e46d88631872db885070222d4136b1b3fb2a8cfdc06ee79f7dededd0a29cbc65c55670acb9fcff01994d9f25c2e40e5

Download Submit
C:\Windows\{C316B7AF-111B-4fc5-89F5-2D995D4E458F}.exe

Filesize
204KB

MD5
92b2daddbf7104ea7ecdfcf1b46d4058

SHA1
20cb3f492fdc0598016942269991c08c82c62085

SHA256
a1d8c3d8dafb08eb2e3dfd7ece60d47ca7bdab653398a649f65079ac21c9b6a7

SHA512
53f8070aa881e452c30419422b1247660e46d88631872db885070222d4136b1b3fb2a8cfdc06ee79f7dededd0a29cbc65c55670acb9fcff01994d9f25c2e40e5

Download Submit
C:\Windows\{C8DB12B5-63A1-4596-A022-47242D90B62D}.exe

Filesize
204KB

MD5
ab3d34d6ac1a554dc45e177a0d8479db

SHA1
5f4c4ac2d17f33bc6e6118ef423b3343446a5e61

SHA256
041fb00a11d66865d50350a564f277ec75ed3a2f2d1a134d1290e6484d8ddbc0

SHA512
7a3ced9f42020135ed51f55c854ccd4bed62870e3c01c3ea17d22de2a13c39cda16dbe34eae85ea542a8dbfe421b84e29124807a564ba6034e5db94c95fb0d8e

Download Submit
C:\Windows\{C8DB12B5-63A1-4596-A022-47242D90B62D}.exe

Filesize
204KB

MD5
ab3d34d6ac1a554dc45e177a0d8479db

SHA1
5f4c4ac2d17f33bc6e6118ef423b3343446a5e61

SHA256
041fb00a11d66865d50350a564f277ec75ed3a2f2d1a134d1290e6484d8ddbc0

SHA512
7a3ced9f42020135ed51f55c854ccd4bed62870e3c01c3ea17d22de2a13c39cda16dbe34eae85ea542a8dbfe421b84e29124807a564ba6034e5db94c95fb0d8e

Download Submit
C:\Windows\{D9999655-903E-48d0-BF9C-AB7999B7196C}.exe

Filesize
204KB

MD5
79f05b94361ba8c710100a23470cd1ee

SHA1
f9f38fa32a76ede009748bbf51c4caef489c782e

SHA256
4a7144b0c7df5ef72e7226c4dd8d3a87cd513befb901d0b2c507fdf4db39afe1

SHA512
558582b855ed5bc207ff9d752615f88e3385db61ed2fc1df017f67963acdf84ef88dde429963db6b864fc5d0870a4b6b21a4a04c3a2aa56bb8e481172d0f9b1f

Download Submit
C:\Windows\{D9999655-903E-48d0-BF9C-AB7999B7196C}.exe

Filesize
204KB

MD5
79f05b94361ba8c710100a23470cd1ee

SHA1
f9f38fa32a76ede009748bbf51c4caef489c782e

SHA256
4a7144b0c7df5ef72e7226c4dd8d3a87cd513befb901d0b2c507fdf4db39afe1

SHA512
558582b855ed5bc207ff9d752615f88e3385db61ed2fc1df017f67963acdf84ef88dde429963db6b864fc5d0870a4b6b21a4a04c3a2aa56bb8e481172d0f9b1f

Download Submit